A symmetric cryptographic algorithm uses a cryptosystem in which the same key is used for encryption and decryption, and is mainly applied to encrypt and decrypt data. In some specific application scenarios, the symmetric cryptographic algorithm is implemented in hardware. When hardware resources are limited, reducing the hardware resources occupied by the symmetric cryptographic algorithm becomes a primary consideration in designing an implementation.
In the framework of a symmetric cryptographic algorithm, S boxes are normally necessary function components. An S box mainly implements a table lookup with N-bit input and M-bit output. A hardware implementation of the lookup table may occupy a lot of resources, and in some symmetric cryptographic algorithms there may be multiple identical S boxes.
Many symmetric cryptographic algorithms use S boxes as function components, such as the advanced encryption standard (AES) cryptographic algorithm, the block cipher algorithm SM4 and the ZUC stream cipher algorithm. The S boxes used as function components in these algorithms are briefly described in the following.
1. AES Cryptographic Algorithm
In the advanced encryption standard (AES) cryptographic algorithm, the key length may be any one of 128 bits, 192 bits or 256 bits, and the packet length is fixed at 128 bits. FIG. 1 shows a flow chart of the algorithm, including an encryption process and a decryption process, which are conventional processes and are not described herein. FIG. 2 shows the key expansion process, taking a key length of 128 bits as an example; it is a conventional process and is not described herein.
In the framework of the AES cryptographic algorithm, the steps that use S boxes to perform table lookup are the byte substitution step in the encryption process, the inverse byte substitution step in the decryption process and the byte substitution step in the key expansion process. FIGS. 3a-3c are schematic diagrams of how the S boxes are used, where there are two types of S boxes, i.e., S boxes and inverse S boxes.
As shown in FIG. 3a, an implementation process for the byte substitution step in the encryption process includes:
1) using data to be encrypted, which has a packet length of 128 bits, as input data, and dividing the input data into 16 segments each having 8 bits;
2) selecting 16 S boxes, where each S box corresponds to one 8-bit segment, and the 16 S boxes may perform table lookup at the same time;
3) using each S box to perform one table lookup on the corresponding 8-bit segment and to output 8-bit data based on the table lookup, and cascading the 16 pieces of 8-bit output data to form 128-bit output data; and
4) ending the byte substitution step in the encryption process.
As shown in FIG. 3b, an implementation process for the inverse byte substitution in the decryption process includes:
1) using data to be decrypted, which has a packet length of 128 bits, as input data, and dividing the input data into 16 segments each having 8 bits;
2) selecting 16 inverse S boxes, where each inverse S box corresponds to one 8-bit segment, and the 16 inverse S boxes may perform table lookup at the same time;
3) using each inverse S box to perform one table lookup on the corresponding 8-bit segment and to output 8-bit data based on the table lookup, and cascading the 16 pieces of 8-bit output data to form 128-bit output data; and
4) ending the inverse byte substitution step in the decryption process.
As shown in FIG. 3c, an implementation process for the byte substitution step in the key expansion process includes:
1) using key data with a length of 32 bits as input data, and dividing the input data into 4 segments each having 8 bits;
2) selecting 4 S boxes, where each S box corresponds to one 8-bit segment, and the 4 S boxes may perform table lookup at the same time;
3) using each S box to perform one table lookup on the corresponding 8-bit segment and to output 8-bit data based on the table lookup, and cascading the 4 pieces of 8-bit output data to form 32-bit output data; and
4) ending the byte substitution step in the key expansion process.
It may be seen from the foregoing description that 20 S boxes and 16 inverse S boxes are needed to implement the AES cryptographic algorithm.
2. SM4 Cryptographic Algorithm
In the SM4 cryptographic algorithm, the key length and the packet length are both fixed at 128 bits. FIG. 4 shows the encryption process in the SM4 cryptographic algorithm, FIG. 5 shows the decryption process and FIG. 6 shows the key expansion process. The specific processes of encryption, decryption and key expansion are conventional processes, and are not described herein.
In the framework of the SM4 cryptographic algorithm, the steps that use S boxes to perform table lookup are the byte substitution step in the encryption process, the byte substitution step in the decryption process and the byte substitution step in the key expansion process. FIG. 7 shows how the S boxes are used, where there is only one type of S box, i.e., the S boxes used for encryption, decryption and key expansion are of the same type, and the same S boxes are used for both encryption and decryption.
As shown in FIG. 7, an implementation process for the byte substitution steps in the encryption process, decryption process and key expansion process of the SM4 cryptographic algorithm includes:
1) using data with a length of 32 bits as input data, and dividing the input data into 4 segments each having 8 bits;
2) selecting 4 S boxes, where each S box corresponds to one 8-bit segment, and the 4 S boxes may perform table lookup at the same time;
3) using each S box to perform one table lookup on the corresponding 8-bit segment and to output 8-bit data based on the table lookup, and cascading the 4 pieces of 8-bit output data to form 32-bit output data; and
4) ending the byte substitution step.
It may be seen from the foregoing description that if S boxes are not reused, 8 S boxes are needed to complete the SM4 cryptographic algorithm.
3. ZUC Cryptographic Algorithm
The ZUC algorithm is a word-oriented stream cipher algorithm, in which the inputs are a 128-bit key Key and a 128-bit initial vector IV, and 32-bit key words are continually output according to the length requirement of the key. FIG. 8 shows the framework of the ZUC algorithm, and the specific algorithm process is a conventional process and is not described herein. In the algorithm framework, the steps in which S boxes are used to perform table lookup are the steps for evaluating R1 and R2 in a nonlinear function F.
FIG. 9 is a schematic diagram of a way for using S boxes, where there are two types of S boxes, i.e., S0 boxes and S1 boxes.
As shown in FIG. 9, in the ZUC algorithm, during evaluating R1 and R2 in the nonlinear function F, the process of implementing table lookup using S boxes includes:
1) using data with a length of 32 bits as input data, and dividing the input data into 4 segments each having 8 bits;
2) selecting 4 S boxes, including two S0 boxes and two S1 boxes, where the S0 boxes correspond to the first and the third segments of the four segments, the S1 boxes correspond to the second and fourth segments of the four segments, each S box corresponds to one 8-bit segment, and the 4 S boxes may perform table lookup at the same time;
3) using each S box to perform one table lookup on the corresponding 8-bit segment and to output 8-bit data based on the table lookup, and cascading the 4 pieces of 8-bit output data to form 32-bit output data; and
4) ending the table lookup process performed by using the S boxes.
It may be seen from the foregoing description that if the S boxes are not reused, 2 S0 boxes and 2 S1 boxes are needed to complete the ZUC cryptographic algorithm.
In the AES cryptographic algorithm, the SM4 cryptographic algorithm and the ZUC cryptographic algorithm, all components implementing the encryption function form an encryption unit, all components implementing the decryption function form a decryption unit, all components configured to generate keys form a key expansion unit, and the units that perform the S box table lookup function, which are similar to those shown in FIG. 3a, FIG. 3b, FIG. 3c, FIG. 7 and FIG. 9, are called table lookup units.
It can be seen from the implementation principles for encryption and decryption in the AES cryptographic algorithm, the SM4 cryptographic algorithm and the ZUC cryptographic algorithm that a large number of S boxes may be used in the encryption and decryption processes of these algorithms. Therefore, when hardware is used to implement encryption and decryption, the S boxes may occupy a lot of hardware resources, which is unsatisfactory when resources are limited.
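The following Python sketch is an added example, not part of the original text: it models in software the AES table lookup units of FIGS. 3a-3c (split into 8-bit segments, one lookup per segment, cascade the outputs) and totals the lookup-table storage for the S box counts stated above. It assumes each S box is a dedicated ROM of 2^N entries of M bits with N = M = 8; all function names are illustrative.

```python
# Added example: software model of the table lookup units described above.

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial 0x11B."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def rotl8(v, n):
    """Rotate an 8-bit value left by n bits."""
    return ((v << n) | (v >> (8 - n))) & 0xFF

def build_sbox():
    """AES S box: multiplicative inverse in GF(2^8), then the affine transform."""
    sbox = []
    for x in range(256):
        inv = 1
        for _ in range(254):              # x^254 equals x^-1; 0 maps to 0
            inv = gf_mul(inv, x)
        sbox.append(inv ^ rotl8(inv, 1) ^ rotl8(inv, 2)
                    ^ rotl8(inv, 3) ^ rotl8(inv, 4) ^ 0x63)
    return sbox

SBOX = build_sbox()
INV_SBOX = [0] * 256
for _x, _y in enumerate(SBOX):
    INV_SBOX[_y] = _x                     # inverse S box is the inverse permutation

def lookup_unit(data, n_segments, table):
    """Divide the input into 8-bit segments, look each one up, cascade the outputs."""
    out = 0
    for i in range(n_segments):
        shift = 8 * (n_segments - 1 - i)
        out |= table[(data >> shift) & 0xFF] << shift
    return out

def rom_bits(n_boxes, n_in=8, m_out=8):
    """Storage for n_boxes tables with N-bit input and M-bit output (assumed ROM model)."""
    return n_boxes * (2 ** n_in) * m_out

# S box instance counts as stated in the text when boxes are not reused.
BOX_COUNTS = {"AES": 20 + 16, "SM4": 8, "ZUC": 2 + 2}

def rom_budget():
    """Total lookup-table bits per algorithm under the assumed ROM model."""
    return {name: rom_bits(n) for name, n in BOX_COUNTS.items()}
```

Under this model one 8-bit S box costs 2048 bits, so the figures returned by `rom_budget()` scale directly with the number of S box instances.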